-FreeRADIUS 2.0.0 ; $Date$, urgency=low
- * Use certificate chains, to support n-tier certificates.
- Patch from Mohammed Petiwala, closes bug #112.
- * Permit per-socket list of clients in "listen" directives
- * Faster client lookups, to permit scaling to 10^6 or more clients.
- * Removed radrelay and radsqlrelay. See "man radrelay.conf" for
- details.
- * Full IPv6 support. The server can listen on IPv6 sockets,
- and send/receive IPv6 packets.
- * rlm_ns_mta_md5 is deprecated. rlm_pap does everything it does,
- and more.
- * The command-line options "-i ipaddr" and "-p port" now work.
- * rlm_unix no longer reads /etc/passwd (etc.) directly. See
- "man rlm_unix" for details. Also see the "authorize" section
- of "radiusd.conf".
- * Configuration files now use binary trees, which means that
- arbitrary amounts of information can be stored in them.
- * Fixed xlat's for %{config:...}. Dynamic expanstion now works
- better, so %{config:section.subsection.%{User-Name}.item" works,
- even if the User-Name contains periods. This is a cheap way
- of getting in-memory databases, as anything can be put into
- the configuration files.
- * Fix locking issues for radrelay.
- * Add radsqlrelay, which works like radrelay, but reads data
- from an SQL database.
- * rlm_ldap now auto-discovers password headers. See the "ldap"
- subsection of "modules", in "radiusd.conf" for details.
- * rlm_pap now auto-discovers password encryption/hash methods.
- See "man rlm_pap" and the "authorize" section of "radiusd.conf".
- * Don't call exit() if module instantiation files.
- * "virtual" modules can now be used. See the last bit of the
- "instantiate" section in "radiusd.conf".
- * Fix problems with Exec-Program-Wait & forking issues.
- * Configuration files can now "$INCLUDE directory/", to automatically
- load all files in that directory. Use with caution!
- * Fix for log_dest = stdout/stderr.
- * New "policy" module, which has none of the limitations of the
- "users" file. See "man rlm_policy" for details.
- * Added even more dictionaries.
- * rlm_sql can now behave more like the "users" file.
- * New rlm_caching module.
- * Now uses autoconf 2.5x, and the various associated tools.
- * Include ucd-snmp-config.h, fixing use of net-snmp's
- ucd-snmp backwards compatibility mode.
- * Modules can now be load-balanced. See "doc/configurable_failover"
- * Move the Login-Time,Current-Time,Expiration attribute handling
- to new modules rlm_logintime and rlm_expiration.
- * Added %{mschap:NT-Hash <passwd>} and %{mschap: LM-Hash <passwd>},
- and update rlm_pap to handle NT/LM-hashed passwords.
- * New rlm_protocol_filter, which permits/denies requests containing
- certain attributes.
- * Don't escape printed strings during xlat's, to avoid the
- infinite expansion of backslashes..
- * rlm_eap now uses trees, rather than linked lists, to maintain
- it's list of active sessions.
- * Silently drop packets with bad Message-Authenticators, as per RFC3579
- * Add Message-Authenticator to rlm_digest sample.
- * Fix MD4 calculation on big-endian machines.
- * Correct handling of post-auth REJECT stanza to include externally and
- proxy-received rejections. (Bugzilla bug #149)
- * Fix building SNMP support on Solaris 9, which needs -lkstat
+FreeRADIUS 1.1.0 ; $Date$, urgency=low
+ * Copied dictionaries from the CVS head (many, many, more vendors)
+ * Enabled support for weird VSA formats, like Lucent and Starent.
+ * Support encrypted IP address and integers, for Juniper clients.
+ * Don't leak memory in module "rlm_sql".
+ * Update the dictionaries, so that VALUEs with the same name,
+ but different numbers, aren't allowed.
+ * Add PEAP machine authentication support in module "rlm_mschap".
+ * Queue the request before looking for available threads.
+ * Don't free the check items after we received the proxy reply.
+ * Expand config variables in included files, too.
+ * Check the return value of accounting modules and don't proxy
+ invalid requests.
+ * In rlm_passwd, don't close a file stream more than once.
+ * Fix format string errors in rlm_sql.c, spotted by Primoz Bratanic.
+ * Walk the whole string in when escaping strings in rlm_ldap.
+ * Include crypt.h if it is available so we get a prototype for crypt(),
+ spotted by Konstantin Kubatkin.
+ * Removed (for almost all uses) length restrictions on vendor names
+ and VALUE names.
++ * rlm_x99_token has become rlm_otp (with lots of changes).
+
+FreeRADIUS 1.0.5 ; Date: 2005/09/04 16:23:00, urgency=medium
+ Security Fixes
+ * SQL injection attack in the module "rlm_sqlcounter".
+ * Buffer overflows in the module "rlm_sqlcounter".
+ * Expansion of variable %t may write 26 bytes beyond the buffer
+ bound. Primoz Bratanic is credited with the discovery of these
+ three bugs.
+
+ Bug fixes
+ * Don't de-reference a NULL pointer if the auth-type is unknown
+ in the function rad_check_password().
+ * Escape more characters in the LDAP queries.
+ Bug found by Suse engineers.
+ * In rlm_sql_unixodbc, don't call rad_malloc from sql_error(),
+ it leaks memory.
+ * Fix an off-by-one error in the module rlm_sql_unixodbc.
+ Bug found by Suse engineers.
+ * In rlm_sql, resize the buffer for the value of SQL-User-Name.
+ * Initialize memory for a new SQL socket in the module rlm_sql.
+ * Don't add too many attributes after running an external program.
+ Bug found by Suse engineers.
+ * Fix an off-by-one error in the function getthing().
+ * snprintf() and vsnprintf() replacements were not compiled if
+ the autoconf tests didn't find the functions.
+ * Don't use vsprintf() anymore, but the replacement for vsnprintf()
+ in libradius instead.
+ * The function decode_attribute() may write beyond buffer bounds.
+ Bug found by Suse engineers.
+ * Fix a memset() in the function request_enqueue() which was
+ begining at the wrong address. Bug found by Matthias Ruttman.
+ * Fix an off-by-one error in the function xlat_copy().
+ Bug found by Primoz Bratanic.
+ * Fix other off-by-one errors in module "rlm_unix", too.
+ Bug found by Allan Bazinet.
+ * Fix a 2-byte over-run read in function rad_decode().
+ * Update thread pool queue properly.
+ * Autonconf tests try first any user-specified directory,
+ otherwise they may pick up the wrong version.
+ * Delete the autoconf tests for the libldap dependancies.
+ * Install all the regular files under the "doc" directory.
+ * Distinguish between exit code <0 (failure) and >0 (reject)
+ in Exec-Program-Wait. Patch from Thor Spruyt.
+ * Make Expiration work.
+ * Clean up the code for opening a proxy socket.
+ * When finding a realm to proxy to, if all are dead, wake them
+ if wake_all_if_all_dead is true.
+ * In radwho, print the NAS-Port as unsigned int.
+ * Use extended regex instead of basic regex in rlm_attr_filter.
+ * Catch the case where someone deletes a directory that rlm_detail
+ is using.
+ * Use the variable $(LDFLAGS) when linking a module.
+ * Ignore the Stripped-User-Name when a realm has the "nostrip"
+ directive.
+ * Add support for NT-Password in rlm_pap.
+ * In rlm_sqlcounter, use the time left to the next reset if it's
+ inferior to the time left in the counter.
+ * Calculate Message-Authenticator correctly for Accounting-Request
+ and Accounting-Response. Bug found by Paolo Rotela.
+ * Build on MAC OS X. Still need --disable-shared, though.
+ * Fix bug #255 (crash with expired CRL's, etc.)
+ * Fix quote removal of the values from a SQL database.
+ * Reap the zombie process after a command run from "Exec-Program".
+ * Allow to cancel proxy of accounting with "Proxy-To-Realm := LOCAL".
+ * Don't copy VSA's to an Access-Reject packet.
+
+FreeRADIUS 1.0.4 ; Date: 2005/06/11 22:46:52, urgency=medium
+ * Fix installation problem.
+ * Increase a buffer size, so radrelay doesn't truncate values.
+ * Updates in the documentation. Patches from Thor Spruyt.
+
+FreeRADIUS 1.0.3 ; Date: 2005/06/03 17:15:11, urgency=high
+ Security Fixes
+ * Always escape the strings in the SQL module.
+ * Check buffer bound when input character needs escaping in
+ the SQL module. Bug found by Primoz Bratanic.
+
+ Bug fixes
+ * Return EAP-Fail in Access-Reject, rather than an empty Access-Reject
+ * Don't send Proxy-State from home server in TTLS.
+ * Fixes for forking external programs, so the server doesn't
+ suddenly stop processing requests, or stop forking programs.
+ * radzap now works, but it's command-line options have changed
+ completely, and it's a shell script.
+ * radwho has updated command-line options, and no longer reads
+ Unix "utmp" files.
* Fix bug in calling checkrad script with NAS port > 9999999
* Fix long-standing bug when both crypt and pthreads are in use
+ * Don't SEGV when rlm_sql gets 'NULL' value from request.
+ * Re-arrange code in radrelay to not duplicate accounting packets.
+ * In rlm_attr_rewrite, change the value when the attribute type
+ is different from string.
-FreeRADIUS 1.0.1 ; Date: 2004/09/02 10:52:03, urgency=high
+FreeRADIUS 1.0.2 ; Date: 2005/02/13 01:03:20, urgency=medium
+ * Novell eDirectoty support. Patch from Novell.
+ * localweb & Trapeze dictionary updates.
+ * EAP-SIM fixes.
+ * Make "Strip-User-Name = No" work.
+ * Don't declare zero-length arrays in rlm_passwd
+ * Bug fix to make udpfromto code work
+ * radrelay shouldn't dump core if it can't read a VP from the
+ detail file.
+ * Only initialize the random pool once.
+ * In rlm_sql, don't escape characters twice.
+ * Fix MD4 calculation on big-endian machines.
+ * In rlm_ldap, only claim Auth-Type if a plain text password is present.
+ * Treat Quintium VSAs like Cisco VSAs
+ * Locking fixes in threading code
+ * rlm_krb5 includes /usr/include/et for Fedora Core
+ * Fix post-auth REJECT stanza processing for rejections from external
+ processes or home RADIUS servers
+ * Fix building on gcc-4.0 by not trying to access static auth_port from
+ other files.
+ * Fix building SNMP support on Solaris 9, which needs -lkstat
+
+FreeRADIUS 1.0.1 ; Date: 2004/09/02 10:52:03 , urgency=high
Denial-of-Service Security Fix
* Fix two remote crashes and a memory leak in RADIUS packet
decoding.
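Review bot: The added 1.1.0 line `++ * rlm_x99_token has become rlm_otp (with lots of changes).` carries a second `+`, so a literal `+` will land at the start of that ChangeLog entry; drop it so the bullet lines up with the entries above it. Several added entries also have spelling slips worth fixing before this is committed: "begining" (request_enqueue() entry in 1.0.5), "Autonconf" and "dependancies" (1.0.5), "eDirectoty" (1.0.2), "it's command-line options" where "its" is meant (radzap entry in 1.0.3), and the stray "in" in "Walk the whole string in when escaping strings in rlm_ldap" (1.1.0). The 1.0.1 header is removed and re-added only to gain a space before the comma (`10:52:03 , urgency=high`), which leaves it inconsistent with the 1.0.2 through 1.0.5 headers added here; keeping the original line would avoid a whitespace-only change.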